US20080117903A1 - Apparatus and method for high speed and large amount of data packet capturing and replaying - Google Patents

Info

Publication number: US20080117903A1
Authority: US (United States)
Prior art keywords: packets, volatile memory, capturing, memory, replaying
Legal status: Abandoned
Application number: US11/875,359
Inventor: Sezen Uysal
Current Assignee: Individual
Original Assignee: Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/324 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the data link layer [OSI layer 2], e.g. HDLC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This invention is an apparatus and a method to capture a large amount of live packet traffic at high speed, first into volatile memory and then into non-volatile memory for future replay. Capturing packets directly into system memory allows achieving the theoretical maximum speed of the network media, for example 1.4 million packets with 64 byte size per second for gigabit Ethernet networks. Captured packets, which are eventually saved in the non-volatile memory, can be replayed later, optionally with the speed and the content of the traffic modified in real time. Similarly, while replaying packets, the system moves the packets into volatile memory first and then sends them from there to achieve high speeds. Optionally, filtering can be used to selectively capture and replay certain packets.

Description

    BACKGROUND OF INVENTION
  • Packet capturing is used for various reasons such as monitoring, security, and network or application analysis. Similarly, packet replaying is used to mimic live traffic, regenerating certain network traffic or conditions in a controlled test environment.
  • The main challenge of packet capturing is to achieve high speeds and to receive every packet that is seen on the network. Generating packets from previously captured packets at high speed is also not an easy task on today's server systems using general purpose processors.
  • There are various solutions that provide high speed traffic capturing and replaying. All of these solutions use either a network processor, an ASIC designed for high speed packet capture, or an FPGA programmed for high speed packet processing. All of these solutions are expensive and not flexible for future speeds and additional functionalities, as the underlying packet processing hardware is specifically designed for these tasks only.
  • This invention proposes a software solution running on a general purpose PC to capture and replay packets at high speed.
    SUMMARY OF INVENTION
  • A method for high speed packet capturing and replaying on a PC system is introduced. A software application running in the operating system's memory space (for example Linux, FreeBSD, or Unix) captures and replays packets to and from a dedicated section of the volatile system memory.
  • A carefully written software application receives the packets from the network interface card and puts them directly into the reserved memory space without using any memory copying functions, which create latency and hence lower packet capturing speeds.
  • Similarly, directly accessing packets in a reserved memory location without any copy functions and sending them to the network interface card allows users to achieve high speed packet replaying.
  • As memory prices are relatively low and PC systems with large memory space are available, it is possible to capture and replay a lot of network traffic at high speed.
  • An additional application running on an idle processor is used to write to and read from a non-volatile memory system (e.g. RAID system, fast flash memory) for processing much larger traffic amounts.
    BRIEF DESCRIPTION OF DRAWINGS
  • FIG. 1 depicts the functional block diagram of the invention. It also shows the flow of packets during both capturing and replaying.
  • FIG. 2 depicts the system components of the invention. It also shows how the components are connected in reference to the flow of packets.
    DETAILED DESCRIPTION
  • FIG. 1 shows the functional block diagram and the flow of captured and replayed packets. The system consists of at least one high speed Network Interface Card (NIC), a computer system with a volatile memory, and a local or an external non-volatile data storage system.
  • When the NIC receives packets (101), the packets are first examined by the packet filtering module. Packet filtering allows capturing only significant packets and either deleting or forwarding the non-matching packets (105, 106). Then the packets are processed by the packet capturing engine, which marks their arrival times (102) and moves them to volatile memory (103). Fast volatile memory provides a buffer to move packets in chunks at high speed directly into the memory system without performing any high latency memory copying operations.
  • During that process, optionally, another application empties the buffer by storing the packets into a non-volatile memory system such as RAID, or into fast flash memory, in real time or after capturing is over (104). These packets can be processed for analysis or for high speed replay.
  • During replay, packets are read from the storage media (107) into the fast volatile memory. Optionally, packets can be filtered to pick certain ones to replay (108). After filtering, packets are processed by the replay engine, which schedules their send times (109). The packets can be replayed either at their original speed or at different speeds. Again optionally, packet contents can be modified, or network impairments such as packet loss or jitter can be introduced, by the processing engine (110). Finally, packets are processed by the NIC for transmission (106).
  • FIG. 2 shows the system components and depicts the operations at the hardware and software component level. The Ethernet packets are first received by the Network Interface Card (NIC) (201). After marking the arrival times inside the packet data structure, the NIC, with the help of the processor, moves the packets (202) to the dedicated memory location in the volatile system memory (203). A software application then processes these packets, filtering them and moving them to the non-volatile memory for future processing or replaying (204).
  • Packet replaying works in a similar way but in the opposite order. Packets previously stored in the non-volatile memory are first moved to the reserved memory location (204, 203). After optional filtering, the NIC is informed to send the packets based on the original arrival times of the packets (202, 201).
  • During the capturing and replaying processes, packets are copied only once, between the volatile memory and the non-volatile memory, to minimize the processing latency. With this method, the theoretical wire speed of the network media can be achieved.
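
The reserved-memory buffer and the replay scheduling described above, sketched in C as an added example (not code from the patent or its inventor): the capture side fills a slot in place, a second processor drains it, and the replay engine derives send times from the marked arrival times. The slot layout, ring size, function names and the `speed_pct` parameter are assumptions; the patent does not specify data structures, and the ring assumes exactly one capture thread and one drain thread.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_DATA  1518u /* assumed: largest untagged Ethernet frame */
#define SLOT_COUNT 4u    /* power of two; tiny so the full case is easy to hit */

struct slot {
    uint64_t arrival_ns; /* arrival time marked by the capturing engine (102) */
    uint32_t len;
    uint8_t  data[SLOT_DATA];
};

struct ring {                      /* stands in for the reserved memory (103) */
    struct slot slots[SLOT_COUNT];
    _Atomic uint32_t head;         /* advanced only by the capture side */
    _Atomic uint32_t tail;         /* advanced only by the drain/replay side */
    uint64_t dropped;              /* frames lost while the ring was full */
};

/* Capture side: slot to fill in place, or NULL (counted as a drop) when full. */
struct slot *ring_reserve(struct ring *r) {
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head - tail == SLOT_COUNT) {
        r->dropped++;
        return NULL;
    }
    return &r->slots[head & (SLOT_COUNT - 1)];
}

/* Capture side: publish the slot once frame bytes and timestamp are written. */
void ring_commit(struct ring *r) {
    atomic_fetch_add_explicit(&r->head, 1, memory_order_release);
}

/* Drain side: oldest published slot, or NULL when the ring is empty. */
const struct slot *ring_peek(struct ring *r) {
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    return head == tail ? NULL : &r->slots[tail & (SLOT_COUNT - 1)];
}

/* Drain side: give the slot back after its packet is stored (104) or sent. */
void ring_release(struct ring *r) {
    atomic_fetch_add_explicit(&r->tail, 1, memory_order_release);
}

/* Replay engine (109): send time scaled by speed_pct (100 = original pacing,
 * 200 = twice as fast). Returns 0 for speed_pct 0 or an out-of-order stamp. */
uint64_t replay_send_ns(uint64_t start_ns, uint64_t first_ns,
                        uint64_t arrival_ns, uint32_t speed_pct) {
    if (speed_pct == 0 || arrival_ns < first_ns)
        return 0;
    return start_ns + (arrival_ns - first_ns) * 100u / speed_pct;
}

int main(void) {
    static struct ring r;          /* zero-initialised, so the first reserve succeeds */
    struct slot *s = ring_reserve(&r);
    memset(s->data, 0xAB, 64);     /* constructed frame; a NIC would DMA here */
    s->len = 64;
    s->arrival_ns = 1000;          /* constructed timestamp */
    ring_commit(&r);
    printf("%llu\n", (unsigned long long)replay_send_ns(5000, 1000, 1672, 200));
    return 0;
}
```

The `dropped` counter is the figure to watch when checking the requirement to receive every packet: it rises whenever the drain side falls behind the capture side.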

Claims (6)

1. An apparatus for capturing packets from a network connection into a volatile memory directly without any memory copy operations to achieve high capturing speeds; said apparatus containing non-volatile memory, volatile memory, generic Ethernet network interface cards, and general purpose processors with Intel architecture.
2. An apparatus for replaying packets from a volatile memory system directly to a generic network connection without any memory copy operations to achieve high replaying speeds; said apparatus containing non-volatile memory, volatile memory, generic Ethernet network interface cards, and general purpose processors with Intel architecture.
3. A method for capturing packets into a volatile memory system directly without any memory copy operations to achieve high capturing speeds; said method using non-volatile memory, volatile memory, generic Ethernet network interface cards, and general purpose processors with Intel architecture.
4. A method for replaying packets from a volatile memory system directly without any memory copy operations to achieve high replaying speeds; said method using non-volatile memory, volatile memory, generic Ethernet network interface cards, and general purpose processors with Intel architecture.
5. An apparatus for saving captured packets into a non-volatile memory during packet capturing or after capturing by directly copying into non-volatile storage system without any memory copy operations and by using an available idle processor.
6. A method for saving captured packets into a non-volatile memory during packet capturing or after capturing by directly copying into non-volatile storage system without any memory copy operations and by using an available idle processor.
US11/875,359 2006-10-20 2007-10-19 Apparatus and method for high speed and large amount of data packet capturing and replaying Abandoned US20080117903A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/875,359 US20080117903A1 (en) 2006-10-20 2007-10-19 Apparatus and method for high speed and large amount of data packet capturing and replaying

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US86223906P 2006-10-20 2006-10-20
US11/875,359 US20080117903A1 (en) 2006-10-20 2007-10-19 Apparatus and method for high speed and large amount of data packet capturing and replaying

Publications (1)

Publication Number Publication Date
US20080117903A1 (en) 2008-05-22

Family

ID=39416870

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/875,359 Abandoned US20080117903A1 (en) 2006-10-20 2007-10-19 Apparatus and method for high speed and large amount of data packet capturing and replaying

Country Status (1)

Country Link
US (1) US20080117903A1 (en)

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION